Each year about this time I distribute a PSA about credit card fraud for nonprofits in particular, but keep inmind, this is applicable to all business types.
I am republishing it once again.
Please feel free to share this widely in hopes it protects at least one person, organization, or company from fraudulent credit card processing problems. Not Linkedin-related, but useful for all to become educated and forwarned.
What to Do Now to Ward off Fraudulent Donations
By Marc W. Halpert
Online donations are designed to be easy for donors to use. Unfortunately, they can be easy targets for thieves too, seeking a testing place for stolen credit card data to make false donations, hundreds of them in a flash. There is an upswing in nonprofits being attacked online.
When you discover your donation site has been compromised, you feel vulnerable, lacking full control, and worst of all, have to explain to your management and Board why this happened.
Here’s what can happen:
The thief purchased thousands of stolen credit card records on the internet and blasted that data at your website donation page, hoping some would succeed. Then knowing which few credit cards actually did work, he goes off to another website and uses them again, for a higher amount, perhaps this time for electronics or other items. The game is over when the cardholder’s bank notices the card has been used irregularly and cancels it. Thieves seem to start with small dollar donations at nonprofits, under bank radar screens for meaningful fraud transactions. They are hoping nonprofits are not as aware of their bank account activity and cash flow as are for-profits. Wrong assumption, but this is the mentality.
In retrospect, when you are tested with fraudulent donations, your online donation mechanism functioned fine; you didn’t set the controls on your gateway and donation page tightly enough. (A gateway is the online service that links a donation page to the merchant accounts. It’s also the place where the current day and historic donation data is stored for bank account reconciliation and statistical purposes).
Before this happens to your organization, consider procedures to prevent and control future abuse (easily accomplished with the assistance of your merchant account and/or gateway vendors).
Give careful forethought to implement some, if not all, of these:
- Set a minimum dollar threshold on your gateway to preclude small bogus transactions (in recent cases, 7 cents or $1.03) from slipping through.
- Address verification service (AVS) must be enabled on your gateway. You want the combined house number AND the 5 digit zip code of the cardholder to match the AVS algorithm used by the card brands to successfully process a card.
- Some well-regarded gateways allow you to block computer IP addresses in selected foreign countries. As an option you can set the gateway to reject all but those in the USA, if appropriate for your donor base.
- Ask your web developer to identify the thief’s IP address. Set the cart to recognize that IP address in the future and automatically direct him to a government website (like FBI.gov).
- Think about including a CAPTCHA or “I am not a robot” challenge-response test as well. You want a human to make a donation, and these block fraudulent robo-processing.
- Be sure donations are reported to multiple email boxes so at least one of your fellow staff will notice immediately if a vulnerability occurs. If staffers work outside of the office, be sure transaction notifications buzz on their cellphones. Thieves assume you are not watching and can work their mayhem on weekends and in the middle of the night.
- Some strong gateways use artificial intelligence and report to you anything that seems awry. They work 24x7x366. Be sure you can heed their warning to multiple staff cellphones at any time.
- Manually reverse every successful transaction that doesn’t belong to you via the gateway refund function (immediately!). Your fee for a chargeback (when a consumer declines a purchase by starting a documentary process with his bank to reverse the card transaction) is usually $25. Prevent being hit with $25,000 in chargeback fees if you receive 1,000 7-cent fraudulent transactions!
- If you have a concern, contact your merchant account salesperson immediately so he/she can advise you how to best notify the fraud experts of the online payment vendors you use. There are established fraud protocols that card processors and gateways follow.
- Finally, review your transactions at least daily. Pay attention to which ones failed, look for patterns of odd transactions and report them immediately by phone, not via an online service ticket, for fastest servicing.
This article is provided as a value-added service to my clients, non-profits, for-profit companies, and professional practices.
©Marc W. Halpert 2018 All rights reserved
I hope this article will save at least one person, company, or organization this heartache.